
PodSecurity: benchmark and optimize privileged namespace evaluations #104588

Merged: 4 commits merged into kubernetes:master from podsecurity-benchmark on Sep 22, 2021

Conversation

@liggitt (Member) commented Aug 25, 2021

What type of PR is this?

/kind feature

Add benchmarks and optimize the "all privileged" case (which is the default for clusters upgraded to a version that enables this admission plugin)

benchmark                                                           old ns/op     new ns/op     delta
BenchmarkVerifyPod/enforce-implicit_pod-12                          1595          225           -85.89%
BenchmarkVerifyPod/enforce-implicit_deployment-12                   1703          234           -86.28%
BenchmarkVerifyPod/enforce-privileged_pod-12                        1600          245           -84.68%
BenchmarkVerifyPod/enforce-privileged_deployment-12                 1712          254           -85.18%
BenchmarkVerifyPod/enforce-baseline_pod-12                          2906          2850          -1.93%
BenchmarkVerifyPod/enforce-baseline_deployment-12                   1714          255           -85.14%
BenchmarkVerifyPod/enforce-restricted_pod-12                        3170          3125          -1.42%
BenchmarkVerifyPod/enforce-restricted_deployment-12                 1726          261           -84.88%
BenchmarkVerifyPod/warn-baseline_pod-12                             2883          2841          -1.46%
BenchmarkVerifyPod/warn-baseline_deployment-12                      2985          2913          -2.41%
BenchmarkVerifyPod/warn-restricted_pod-12                           3143          3176          +1.05%
BenchmarkVerifyPod/warn-restricted_deployment-12                    3295          3157          -4.19%
BenchmarkVerifyPod/enforce-warn-audit-baseline_pod-12               5210          5132          -1.50%
BenchmarkVerifyPod/enforce-warn-audit-baseline_deployment-12        4213          4069          -3.42%
BenchmarkVerifyPod/warn-baseline-audit-restricted_pod-12            4387          4252          -3.08%
BenchmarkVerifyPod/warn-baseline-audit-restricted_deployment-12     4415          4316          -2.24%

benchmark                                                           old allocs     new allocs     delta
BenchmarkVerifyPod/enforce-implicit_pod-12                          12             1              -91.67%
BenchmarkVerifyPod/enforce-implicit_deployment-12                   14             1              -92.86%
BenchmarkVerifyPod/enforce-privileged_pod-12                        12             1              -91.67%
BenchmarkVerifyPod/enforce-privileged_deployment-12                 14             1              -92.86%
BenchmarkVerifyPod/enforce-baseline_pod-12                          17             17             +0.00%
BenchmarkVerifyPod/enforce-baseline_deployment-12                   14             1              -92.86%
BenchmarkVerifyPod/enforce-restricted_pod-12                        17             17             +0.00%
BenchmarkVerifyPod/enforce-restricted_deployment-12                 14             1              -92.86%
BenchmarkVerifyPod/warn-baseline_pod-12                             17             17             +0.00%
BenchmarkVerifyPod/warn-baseline_deployment-12                      19             19             +0.00%
BenchmarkVerifyPod/warn-restricted_pod-12                           17             17             +0.00%
BenchmarkVerifyPod/warn-restricted_deployment-12                    19             19             +0.00%
BenchmarkVerifyPod/enforce-warn-audit-baseline_pod-12               27             27             +0.00%
BenchmarkVerifyPod/enforce-warn-audit-baseline_deployment-12        24             24             +0.00%
BenchmarkVerifyPod/warn-baseline-audit-restricted_pod-12            22             22             +0.00%
BenchmarkVerifyPod/warn-baseline-audit-restricted_deployment-12     24             24             +0.00%

benchmark                                                           old bytes     new bytes     delta
BenchmarkVerifyPod/enforce-implicit_pod-12                          2120          112           -94.72%
BenchmarkVerifyPod/enforce-implicit_deployment-12                   2304          112           -95.14%
BenchmarkVerifyPod/enforce-privileged_pod-12                        2120          112           -94.72%
BenchmarkVerifyPod/enforce-privileged_deployment-12                 2304          112           -95.14%
BenchmarkVerifyPod/enforce-baseline_pod-12                          3368          3368          +0.00%
BenchmarkVerifyPod/enforce-baseline_deployment-12                   2304          112           -95.14%
BenchmarkVerifyPod/enforce-restricted_pod-12                        3368          3368          +0.00%
BenchmarkVerifyPod/enforce-restricted_deployment-12                 2304          112           -95.14%
BenchmarkVerifyPod/warn-baseline_pod-12                             3368          3368          +0.00%
BenchmarkVerifyPod/warn-baseline_deployment-12                      3552          3552          +0.00%
BenchmarkVerifyPod/warn-restricted_pod-12                           3368          3368          +0.00%
BenchmarkVerifyPod/warn-restricted_deployment-12                    3552          3552          +0.00%
BenchmarkVerifyPod/enforce-warn-audit-baseline_pod-12               5864          5864          +0.00%
BenchmarkVerifyPod/enforce-warn-audit-baseline_deployment-12        4800          4800          +0.00%
BenchmarkVerifyPod/warn-baseline-audit-restricted_pod-12            4616          4616          +0.00%
BenchmarkVerifyPod/warn-baseline-audit-restricted_deployment-12     4800          4800          +0.00%

Does this PR introduce a user-facing change?

NONE

xref kubernetes/enhancements#2579
/cc @tallclair
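What the "all privileged" fast path amounts to, shown as an added example rather than code from the plugin or from this PR: a small Go model with hypothetical PodSpec and Result types and only two of the real checks. It resolves the three pod-security.kubernetes.io labels, defaults absent ones to privileged (the implicit case the PR description calls out), and returns a shared preallocated result without evaluating anything when every mode that applies to the resource is privileged. Enforce applies to Pods only, while warn and audit also cover pod-template controllers, which is the pattern in the benchmark rows above: an enforce-baseline Deployment is as cheap as the implicit case, an enforce-baseline Pod still pays for full evaluation. The handling of unexpected label values (anything that is not exactly "privileged" leaves the fast path) is this example's choice, not a statement about the plugin.

```go
package main

import "fmt"

// Level is a Pod Security Standards level as written in namespace labels.
type Level string

const (
	Privileged Level = "privileged"
	Restricted Level = "restricted"
)

// Label keys read by the PodSecurity admission plugin; an absent label means privileged.
const (
	EnforceLabel = "pod-security.kubernetes.io/enforce"
	AuditLabel   = "pod-security.kubernetes.io/audit"
	WarnLabel    = "pod-security.kubernetes.io/warn"
)

// Policy is the level resolved for each of the three modes.
type Policy struct{ Enforce, Audit, Warn Level }

// PolicyFromLabels defaults a mode to privileged when its label is absent (the "implicit"
// rows in the benchmark table) and otherwise keeps the value verbatim, so anything that is
// not exactly "privileged" falls off the fast path below (a typo fails closed, not open).
func PolicyFromLabels(labels map[string]string) Policy {
	get := func(key string) Level {
		if v, ok := labels[key]; ok {
			return Level(v)
		}
		return Privileged
	}
	return Policy{Enforce: get(EnforceLabel), Audit: get(AuditLabel), Warn: get(WarnLabel)}
}

// AllPrivileged reports whether every mode that applies to the resource is privileged.
// Enforce applies to Pods only; warn and audit also apply to pod-template controllers such
// as Deployments, which is why an enforce-baseline Deployment can skip evaluation entirely.
func (p Policy) AllPrivileged(isPod bool) bool {
	if isPod && p.Enforce != Privileged {
		return false
	}
	return p.Audit == Privileged && p.Warn == Privileged
}

// PodSpec is a hypothetical stand-in holding only the fields the checks below look at.
type PodSpec struct{ HostNetwork, RunAsNonRoot bool }

// Result is the hypothetical shape of one admission decision.
type Result struct {
	Allowed                    bool
	Forbidden, Warnings, Audit []string // violations per mode; Forbidden is Pods only
}

// allowedResult is the one shared value returned on the fast path; it is never mutated.
var allowedResult = &Result{Allowed: true}

// violations lists the checks a spec fails at a level: privileged checks nothing, any other
// value gets the baseline check, and restricted adds runAsNonRoot (two of the real checks).
func violations(level Level, spec PodSpec) []string {
	if level == Privileged {
		return nil
	}
	var v []string
	if spec.HostNetwork {
		v = append(v, "hostNetwork=true")
	}
	if level == Restricted && !spec.RunAsNonRoot {
		v = append(v, "runAsNonRoot != true")
	}
	return v
}

// Evaluate decides one Pod (isPod) or pod-template controller request.
func Evaluate(p Policy, isPod bool, spec PodSpec) *Result {
	if p.AllPrivileged(isPod) {
		return allowedResult // no checks run and nothing allocated
	}
	r := &Result{Allowed: true}
	if isPod {
		r.Forbidden = violations(p.Enforce, spec)
		r.Allowed = len(r.Forbidden) == 0
	}
	r.Warnings = violations(p.Warn, spec)
	r.Audit = violations(p.Audit, spec)
	return r
}

func main() {
	spec := PodSpec{HostNetwork: true} // constructed sample that fails baseline
	baseline := map[string]string{EnforceLabel: "baseline"}
	for _, c := range []struct{ name string; labels map[string]string; isPod bool }{
		{"enforce-implicit pod", nil, true},
		{"enforce-baseline deployment", baseline, false},
		{"enforce-baseline pod", baseline, true},
	} {
		r := Evaluate(PolicyFromLabels(c.labels), c.isPod, spec)
		fmt.Printf("%-28s fastpath=%-5t allowed=%-5t forbidden=%v\n", c.name, r == allowedResult, r.Allowed, r.Forbidden)
	}
}
```

The property worth checking on any change to such a fast path is the same one the tables measure: allocs/op on the privileged rows, which testing.AllocsPerRun can pin at zero for the model above, and the fact that a label value other than the exact string "privileged" never reaches the shortcut.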

@liggitt liggitt added kind/feature Categorizes issue or PR as related to a new feature. sig/auth Categorizes an issue or PR as relevant to SIG Auth. labels Aug 25, 2021
@liggitt liggitt added this to the v1.23 milestone Aug 25, 2021
@k8s-ci-robot k8s-ci-robot added the release-note-none Denotes a PR that doesn't merit a release note. label Aug 25, 2021
@k8s-ci-robot k8s-ci-robot requested a review from tallclair August 25, 2021 21:11
@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Aug 25, 2021
@k8s-ci-robot (Contributor)

@liggitt: This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Aug 25, 2021
@tallclair tallclair self-assigned this Aug 25, 2021
@liggitt liggitt force-pushed the podsecurity-benchmark branch from 8b31e3b to 1b380e7 Compare August 26, 2021 12:48
@liggitt liggitt force-pushed the podsecurity-benchmark branch from 1b380e7 to 0ec4ccc Compare September 20, 2021 14:26
@liggitt liggitt changed the title WIP - PodSecurity: benchmark and optimize privileged namespace evaluations PodSecurity: benchmark and optimize privileged namespace evaluations Sep 20, 2021
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Sep 20, 2021
@liggitt (Member Author) commented Sep 20, 2021

this is ready for review, and should go in before we start making changes for metrics and aggregation

@tallclair (Member) left a comment

Left a couple suggestions for further optimizations, but we can do those in a follow up if you want to get this merged ASAP.

go test ./plugin/pkg/admission/security/podsecurity -bench /pod -benchmem
goos: darwin
goarch: amd64
pkg: k8s.io/kubernetes/plugin/pkg/admission/security/podsecurity
cpu: Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz
BenchmarkVerifyPod/enforce-implicit_pod-12         	  702789	      1585 ns/op	    2120 B/op	      12 allocs/op
BenchmarkVerifyPod/enforce-privileged_pod-12       	  737588	      1607 ns/op	    2120 B/op	      12 allocs/op
BenchmarkVerifyPod/enforce-baseline_pod-12         	  409818	      2974 ns/op	    3368 B/op	      17 allocs/op
BenchmarkVerifyPod/enforce-restricted_pod-12       	  370262	      3385 ns/op	    3368 B/op	      17 allocs/op
BenchmarkVerifyPod/warn-baseline_pod-12            	  391808	      3101 ns/op	    3368 B/op	      17 allocs/op
BenchmarkVerifyPod/warn-restricted_pod-12          	  349411	      3452 ns/op	    3368 B/op	      17 allocs/op
BenchmarkVerifyPod/enforce-warn-audit-baseline_pod-12         	  208221	      5735 ns/op	    5864 B/op	      27 allocs/op
BenchmarkVerifyPod/warn-baseline-audit-restricted_pod-12      	  249662	      4849 ns/op	    4616 B/op	      22 allocs/op
PASS
ok  	k8s.io/kubernetes/plugin/pkg/admission/security/podsecurity	10.707s

benchmark                                                           old ns/op     new ns/op     delta
BenchmarkVerifyPod/enforce-implicit_pod-12                          2658          370           -86.07%
BenchmarkVerifyPod/enforce-implicit_deployment-12                   2462          408           -83.42%
BenchmarkVerifyPod/enforce-privileged_pod-12                        2346          420           -82.11%
BenchmarkVerifyPod/enforce-privileged_deployment-12                 2318          426           -81.64%
BenchmarkVerifyPod/enforce-baseline_pod-12                          3606          4259          +18.11%
BenchmarkVerifyPod/enforce-baseline_deployment-12                   2032          341           -83.22%
BenchmarkVerifyPod/enforce-restricted_pod-12                        3522          3322          -5.68%
BenchmarkVerifyPod/enforce-restricted_deployment-12                 1893          327           -82.70%
BenchmarkVerifyPod/warn-baseline_pod-12                             3076          2964          -3.64%
BenchmarkVerifyPod/warn-baseline_deployment-12                      3111          3069          -1.35%
BenchmarkVerifyPod/warn-restricted_pod-12                           3155          3223          +2.16%
BenchmarkVerifyPod/warn-restricted_deployment-12                    3235          3443          +6.43%
BenchmarkVerifyPod/enforce-warn-audit-baseline_pod-12               5148          5193          +0.87%
BenchmarkVerifyPod/enforce-warn-audit-baseline_deployment-12        4147          4295          +3.57%
BenchmarkVerifyPod/warn-baseline-audit-restricted_pod-12            4286          4363          +1.80%
BenchmarkVerifyPod/warn-baseline-audit-restricted_deployment-12     4447          4482          +0.79%

benchmark                                                           old allocs     new allocs     delta
BenchmarkVerifyPod/enforce-implicit_pod-12                          12             2              -83.33%
BenchmarkVerifyPod/enforce-implicit_deployment-12                   14             2              -85.71%
BenchmarkVerifyPod/enforce-privileged_pod-12                        12             2              -83.33%
BenchmarkVerifyPod/enforce-privileged_deployment-12                 14             2              -85.71%
BenchmarkVerifyPod/enforce-baseline_pod-12                          17             17             +0.00%
BenchmarkVerifyPod/enforce-baseline_deployment-12                   14             2              -85.71%
BenchmarkVerifyPod/enforce-restricted_pod-12                        17             17             +0.00%
BenchmarkVerifyPod/enforce-restricted_deployment-12                 14             2              -85.71%
BenchmarkVerifyPod/warn-baseline_pod-12                             17             17             +0.00%
BenchmarkVerifyPod/warn-baseline_deployment-12                      19             19             +0.00%
BenchmarkVerifyPod/warn-restricted_pod-12                           17             17             +0.00%
BenchmarkVerifyPod/warn-restricted_deployment-12                    19             19             +0.00%
BenchmarkVerifyPod/enforce-warn-audit-baseline_pod-12               27             27             +0.00%
BenchmarkVerifyPod/enforce-warn-audit-baseline_deployment-12        24             24             +0.00%
BenchmarkVerifyPod/warn-baseline-audit-restricted_pod-12            22             22             +0.00%
BenchmarkVerifyPod/warn-baseline-audit-restricted_deployment-12     24             24             +0.00%

benchmark                                                           old bytes     new bytes     delta
BenchmarkVerifyPod/enforce-implicit_pod-12                          2120          208           -90.19%
BenchmarkVerifyPod/enforce-implicit_deployment-12                   2304          208           -90.97%
BenchmarkVerifyPod/enforce-privileged_pod-12                        2120          208           -90.19%
BenchmarkVerifyPod/enforce-privileged_deployment-12                 2304          208           -90.97%
BenchmarkVerifyPod/enforce-baseline_pod-12                          3368          3368          +0.00%
BenchmarkVerifyPod/enforce-baseline_deployment-12                   2304          208           -90.97%
BenchmarkVerifyPod/enforce-restricted_pod-12                        3368          3368          +0.00%
BenchmarkVerifyPod/enforce-restricted_deployment-12                 2304          208           -90.97%
BenchmarkVerifyPod/warn-baseline_pod-12                             3368          3368          +0.00%
BenchmarkVerifyPod/warn-baseline_deployment-12                      3552          3552          +0.00%
BenchmarkVerifyPod/warn-restricted_pod-12                           3368          3368          +0.00%
BenchmarkVerifyPod/warn-restricted_deployment-12                    3552          3552          +0.00%
BenchmarkVerifyPod/enforce-warn-audit-baseline_pod-12               5864          5864          +0.00%
BenchmarkVerifyPod/enforce-warn-audit-baseline_deployment-12        4800          4800          +0.00%
BenchmarkVerifyPod/warn-baseline-audit-restricted_pod-12            4616          4616          +0.00%
BenchmarkVerifyPod/warn-baseline-audit-restricted_deployment-12     4800          4800          +0.00%

benchmark                                                           old ns/op     new ns/op     delta
BenchmarkVerifyPod/enforce-implicit_pod-12                          370           228           -38.49%
BenchmarkVerifyPod/enforce-implicit_deployment-12                   408           241           -40.86%
BenchmarkVerifyPod/enforce-privileged_pod-12                        420           242           -42.27%
BenchmarkVerifyPod/enforce-privileged_deployment-12                 426           256           -39.84%
BenchmarkVerifyPod/enforce-baseline_pod-12                          4259          3006          -29.42%
BenchmarkVerifyPod/enforce-baseline_deployment-12                   341           266           -22.12%
BenchmarkVerifyPod/enforce-restricted_pod-12                        3322          3282          -1.20%
BenchmarkVerifyPod/enforce-restricted_deployment-12                 327           260           -20.59%
BenchmarkVerifyPod/warn-baseline_pod-12                             2964          3020          +1.89%
BenchmarkVerifyPod/warn-baseline_deployment-12                      3069          3127          +1.89%
BenchmarkVerifyPod/warn-restricted_pod-12                           3223          3330          +3.32%
BenchmarkVerifyPod/warn-restricted_deployment-12                    3443          3533          +2.61%
BenchmarkVerifyPod/enforce-warn-audit-baseline_pod-12               5193          5405          +4.08%
BenchmarkVerifyPod/enforce-warn-audit-baseline_deployment-12        4295          4358          +1.47%
BenchmarkVerifyPod/warn-baseline-audit-restricted_pod-12            4363          4513          +3.44%
BenchmarkVerifyPod/warn-baseline-audit-restricted_deployment-12     4482          4588          +2.37%

benchmark                                                           old allocs     new allocs     delta
BenchmarkVerifyPod/enforce-implicit_pod-12                          2              1              -50.00%
BenchmarkVerifyPod/enforce-implicit_deployment-12                   2              1              -50.00%
BenchmarkVerifyPod/enforce-privileged_pod-12                        2              1              -50.00%
BenchmarkVerifyPod/enforce-privileged_deployment-12                 2              1              -50.00%
BenchmarkVerifyPod/enforce-baseline_pod-12                          17             17             +0.00%
BenchmarkVerifyPod/enforce-baseline_deployment-12                   2              1              -50.00%
BenchmarkVerifyPod/enforce-restricted_pod-12                        17             17             +0.00%
BenchmarkVerifyPod/enforce-restricted_deployment-12                 2              1              -50.00%
BenchmarkVerifyPod/warn-baseline_pod-12                             17             17             +0.00%
BenchmarkVerifyPod/warn-baseline_deployment-12                      19             19             +0.00%
BenchmarkVerifyPod/warn-restricted_pod-12                           17             17             +0.00%
BenchmarkVerifyPod/warn-restricted_deployment-12                    19             19             +0.00%
BenchmarkVerifyPod/enforce-warn-audit-baseline_pod-12               27             27             +0.00%
BenchmarkVerifyPod/enforce-warn-audit-baseline_deployment-12        24             24             +0.00%
BenchmarkVerifyPod/warn-baseline-audit-restricted_pod-12            22             22             +0.00%
BenchmarkVerifyPod/warn-baseline-audit-restricted_deployment-12     24             24             +0.00%

benchmark                                                           old bytes     new bytes     delta
BenchmarkVerifyPod/enforce-implicit_pod-12                          208           112           -46.15%
BenchmarkVerifyPod/enforce-implicit_deployment-12                   208           112           -46.15%
BenchmarkVerifyPod/enforce-privileged_pod-12                        208           112           -46.15%
BenchmarkVerifyPod/enforce-privileged_deployment-12                 208           112           -46.15%
BenchmarkVerifyPod/enforce-baseline_pod-12                          3368          3368          +0.00%
BenchmarkVerifyPod/enforce-baseline_deployment-12                   208           112           -46.15%
BenchmarkVerifyPod/enforce-restricted_pod-12                        3368          3368          +0.00%
BenchmarkVerifyPod/enforce-restricted_deployment-12                 208           112           -46.15%
BenchmarkVerifyPod/warn-baseline_pod-12                             3368          3368          +0.00%
BenchmarkVerifyPod/warn-baseline_deployment-12                      3552          3552          +0.00%
BenchmarkVerifyPod/warn-restricted_pod-12                           3368          3368          +0.00%
BenchmarkVerifyPod/warn-restricted_deployment-12                    3552          3552          +0.00%
BenchmarkVerifyPod/enforce-warn-audit-baseline_pod-12               5864          5864          +0.00%
BenchmarkVerifyPod/enforce-warn-audit-baseline_deployment-12        4800          4800          +0.00%
BenchmarkVerifyPod/warn-baseline-audit-restricted_pod-12            4616          4616          +0.00%
BenchmarkVerifyPod/warn-baseline-audit-restricted_deployment-12     4800          4800          +0.00%
@liggitt liggitt force-pushed the podsecurity-benchmark branch from 0ec4ccc to ab5067a Compare September 21, 2021 20:33
@liggitt (Member Author) commented Sep 21, 2021

comments addressed

@liggitt (Member Author) commented Sep 21, 2021

weird:

ERROR: failed to create cluster: docker run error: command "docker run --name kind-control-plane --hostname kind-control-plane --label io.x-k8s.kind.role=control-plane --privileged --security-opt seccomp=unconfined --security-opt apparmor=unconfined --tmpfs /tmp --tmpfs /run --volume /var --volume /lib/modules:/lib/modules:ro -e KIND_EXPERIMENTAL_CONTAINERD_SNAPSHOTTER --device /dev/fuse --detach --tty --label io.x-k8s.kind.cluster=kind --net kind --restart=on-failure:1 --init=false --publish=127.0.0.1:45105:6443/TCP -e KUBECONFIG=/etc/kubernetes/admin.conf kindest/node:latest" failed with error: exit status 125

/retest

benchmark                                                           old ns/op     new ns/op     delta
BenchmarkVerifyPod/enforce-implicit_pod-12                          224           225           +0.40%
BenchmarkVerifyPod/enforce-implicit_deployment-12                   237           234           -1.31%
BenchmarkVerifyPod/enforce-privileged_pod-12                        259           245           -5.26%
BenchmarkVerifyPod/enforce-privileged_deployment-12                 261           254           -2.72%
BenchmarkVerifyPod/enforce-baseline_pod-12                          2967          2850          -3.94%
BenchmarkVerifyPod/enforce-baseline_deployment-12                   252           255           +0.87%
BenchmarkVerifyPod/enforce-restricted_pod-12                        3244          3125          -3.67%
BenchmarkVerifyPod/enforce-restricted_deployment-12                 258           261           +0.97%
BenchmarkVerifyPod/warn-baseline_pod-12                             2956          2841          -3.89%
BenchmarkVerifyPod/warn-baseline_deployment-12                      3034          2913          -3.99%
BenchmarkVerifyPod/warn-restricted_pod-12                           3276          3176          -3.05%
BenchmarkVerifyPod/warn-restricted_deployment-12                    3302          3157          -4.39%
BenchmarkVerifyPod/enforce-warn-audit-baseline_pod-12               5159          5132          -0.52%
BenchmarkVerifyPod/enforce-warn-audit-baseline_deployment-12        4208          4069          -3.30%
BenchmarkVerifyPod/warn-baseline-audit-restricted_pod-12            4336          4252          -1.94%
BenchmarkVerifyPod/warn-baseline-audit-restricted_deployment-12     4436          4316          -2.71%
@liggitt liggitt force-pushed the podsecurity-benchmark branch from ab5067a to 32a5f41 Compare September 22, 2021 14:28
@tallclair (Member) left a comment

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 22, 2021
@k8s-ci-robot (Contributor)

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, tallclair

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit dce069c into kubernetes:master Sep 22, 2021
@liggitt liggitt deleted the podsecurity-benchmark branch September 27, 2021 13:05
@tallclair tallclair mentioned this pull request Sep 27, 2021